Hello again. Much news, some good, some not so good on the e-crime and cyber security front. Acknowledgements and thanks to the Bank of England, BBC, Independent, Telegraph, Reuters, Bloomberg, CSO, eBay and finextra.
In response to the Financial Policy Committee's requirement that the financial sector should test and improve its defences, the Bank of England announced a framework to do just that.
Yesterday, at a British Bankers' Association cyber security conference, Andrew Gracie, the Bank of England's Executive Director for Resolution, said that the framework would for the first time use private sector threat intelligence to supplement public sources. Banks could benefit from:
- access to considered and consistent cyber threat intelligence, ethically and legally sourced from organisations that have been assessed against rigorous standards
- access to knowledgeable, skilled and competent cyber threat intelligence analysts who have a detailed understanding of the financial services sector
- realistic penetration tests that replicate sophisticated, current attacks based on current and targeted cyber threat intelligence
- standard key performance indicators that can be used to assess the maturity of the organisation’s ability to detect and respond to cyber-attacks
- access to benchmark information that can be used to compare themselves against other parts of the financial services industry.
The Bank developed this package with CREST (the Council for Registered Ethical Security Testers, i.e. accredited 'ethical hackers') and Digital Shadows, a cyber intelligence company, and the three are developing accreditation standards that commercial cyber intelligence providers will have to meet.
It was reported, however, that banks are not bound to participate. It’s voluntary. I wonder how many will exercise the right to abstain?
The 'no seat at the table' argument resurfaced from various quarters, not least Ireland's BH Consulting and the 451 Group. CISOs complain that they can't be effective in managing risk because they aren't C-level executives; more often they report into the CIO or the CFO. Whilst the direction of travel is generally positive, with the business taking more notice of the security risks it is running, we're not there yet.
CrowdStrike, a private US security firm, following the US Justice Department's recent indictments of five Chinese hackers in a PLA unit, told the world that Shanghai-based Unit 61486 of the PLA's 12th Bureau had been attacking the networks of Western government agencies and defence contractors since 2007, naming an individual and his digital footprints.
American Express had around 75,000 US customers' card data posted online; 58,000 of those records had the cardholder's name published alongside the card number. Anonymous Ukraine is believed to be responsible.
The FBI-led takedown of the Gameover Zeus botnet and the Cryptolocker ransomware it distributed bought a window of roughly two weeks for people to clean up and protect their data. Andy Archibald, head of the UK's National Cyber Crime Unit, urged people to update their operating systems and security software and not to click on hyperlinks in unsolicited email.
Meanwhile, RSA researchers reported that a new alternative to the Zeus trojan has appeared. Pandemiya sells for around USD 2,000, is written from scratch rather than built on recycled Zeus code, and is designed to steal data, take screen captures and inject content into the victim's browser.
eBay announced on its blog that one of its databases had been compromised. The compromised data included encrypted passwords, names, addresses and email addresses but not, apparently, card details: financial data is stored separately and encrypted, so eBay says it was unaffected. Users themselves are not unaffected, however. Encrypted or hashed passwords are only as safe as the scheme protecting them, which is why eBay asked all users to change their passwords.
US restaurant chain P.F. Chang's appears to have suffered a card data breach. An American blogger reported that thousands of credit and debit cards went on sale on an underground forum, Rescator, which was previously used to offload millions of cards stolen from Target.
The growth of security start-ups in Israel is to be bolstered. Israel has long been recognised as a global centre of cyber security know-how, and Prime Minister Netanyahu said at Cybertech this week that he will relax export licensing restrictions on cyber-related technologies. Deloitte Touche Tohmatsu announced plans to open a cyber security operations centre there in order to buy, license or partner with local start-ups.
An IBM master inventor filed a patent on spotting unexpected changes in the way an internet user interacts with a website, as a way of detecting and preventing account hijacking.
And plans are under way to teach children in UK schools about cyber security. According to the Department for Business, Innovation and Skills, new learning materials will be offered to UK schools to publicise jobs in the sector. David Willetts, the Universities and Science Minister, focused on the national advantage of having a cyber-literate generation and on developing the professional and technical skills needed to compete globally.
Now, where’s that key…?